authorAllan Sandfeld Jensen <allan.jensen@qt.io>2020-05-01 10:35:02 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2020-05-04 20:22:53 +0200
commit6ebef2eb9a6a3630f9142fb040c3f87ba8eeac8e (patch)
tree82675cd6c62234f483d167fcadf31859721e56b0
parent821e71fded090d815b5cd396057ac9823874fe1f (diff)
Fix 32bit integer overflow in ICC parsingv5.15.0-rc1
Change-Id: I98c413374374a6143733860aa9bab1a957cd3b2d Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> Reviewed-by: Marc Mutz <marc.mutz@kdab.com>
-rw-r--r--src/gui/painting/qicc.cpp3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/gui/painting/qicc.cpp b/src/gui/painting/qicc.cpp
index 2b5cd58fb1..b7c8e8f824 100644
--- a/src/gui/painting/qicc.cpp
+++ b/src/gui/painting/qicc.cpp
@@ -225,7 +225,7 @@ static bool isValidIccProfile(const ICCProfileHeader &header)
}
// Don't overflow 32bit integers:
- if (header.tagCount >= INT32_MAX / sizeof(TagTableEntry)) {
+ if (header.tagCount >= (INT32_MAX - sizeof(ICCProfileHeader)) / sizeof(TagTableEntry)) {
qCWarning(lcIcc, "Failed tag count sanity");
return false;
}
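Review bot: The comment above the changed condition still reads `// Don't overflow 32bit integers:` and does not say why the header size is now subtracted from INT32_MAX, so the new bound looks arbitrary to a later reader; suggest `// Don't overflow 32bit integers: the data offset is computed as sizeof(ICCProfileHeader) + tagCount * sizeof(TagTableEntry), so leave room for the header too.` Using INT32_MAX rather than the platform maximum of qsizetype is presumably deliberate so the limit is identical on 32-bit and 64-bit builds; one clause saying so would stop someone "fixing" it to a wider type later. The subtraction itself is carried out in size_t because sizeof() is unsigned, which is harmless here as long as sizeof(ICCProfileHeader) stays far below INT32_MAX. isValidIccProfile's body begins before this hunk.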
@@ -629,6 +629,7 @@ bool fromIccProfile(const QByteArray &data, QColorSpace *colorSpace)
// Read tag index
const TagTableEntry *tagTable = (const TagTableEntry *)(data.constData() + sizeof(ICCProfileHeader));
const qsizetype offsetToData = sizeof(ICCProfileHeader) + header->tagCount * sizeof(TagTableEntry);
+ Q_ASSERT(offsetToData > 0);
if (offsetToData > data.size()) {
qCWarning(lcIcc) << "fromIccProfile: failed index size sanity";
return false;
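Review bot: `Q_ASSERT(offsetToData > 0);` on the added line is compiled out in release builds, so it documents an invariant rather than enforcing one; the real guard is the tagCount bound in isValidIccProfile(), which is presumably applied to this header before this point but lies outside the hunk. A comment tying the two together would keep them from drifting apart: `// tagCount was bounded in isValidIccProfile(), so this sum fits a 32-bit qsizetype and cannot wrap negative.` Note that `header->tagCount * sizeof(TagTableEntry)` on the line above is evaluated in size_t and only then narrowed to qsizetype, so on a 32-bit build the assert would be the only symptom if that bound were ever loosened. fromIccProfile begins and continues outside the hunk.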